Threat Spotlight: KONNI – A Stealthy Remote Access Trojan

Overview

In early July, TALOS blogged about a new variant of the KONNI remote access trojan (RAT), a malware family they discovered and wrote about in another blog post in early May. As an active threat under development, we decided to take a closer look at this RAT to understand some of its inner workings and capabilities. Our analysis confirms the excellent investigative work done by TALOS and expands on what they found.

Threat Background

On July 3rd, 2017, North Korea completed a successful intercontinental ballistic missile (ICBM) launch test, dubbed “Hwasong-14”. According to the North’s state-run Korean Central News Agency, the launch successfully tested the functions of the missile’s two propulsive stages and the warhead’s ability to endure the intense heat and vibrations as it re-entered the Earth’s atmosphere.

As a result of this, another KONNI campaign was launched.

According to TALOS, previous KONNI campaigns targeting North Korea included:

The motivation behind these campaigns is uncertain; however, it does appear to be espionage directed at targets who would be interested in North Korean affairs.

In addition to TALOS’s investigation of KONNI, on July 18, 2017, Bitdefender released a whitepaper on a DarkHotel campaign titled ‘Bitdefender-Whitepaper-Inexsmar-A4-en-EN.’ What is interesting about this whitepaper is that it includes the SHA-1 hash (a6c7a7bcaabc3584b1fb4d6aeb66ec158b65d444) of a malicious dropper called ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_OFFICE_Coordination_Associatewxcod.scr.’

On execution, the dropper launches a Word document similar to the one used in the campaign ‘Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.scr.’

We have included two screenshots, Figure 1 and Figure 2, to show a side-by-side comparison of these two documents and their differences:

Figure 1. Document Comparison

Figure 2. Document Comparison

Impact

KONNI is a uniquely crafted RAT that leverages basic anti-analysis techniques, social engineering, and intelligence-gathering features. KONNI has been observed being distributed through phishing campaigns.

The social engineering techniques deployed by KONNI allow the malware to hide in the background while users are duped into executing its payload. KONNI’s intelligence-gathering techniques give the malware the ability to profile an organization’s interconnected computer systems through host enumeration, keystroke logging, and screen captures. The collected information can then be used to craft specific attacks based on what was scraped.

Attacks that combine social engineering with intelligence gathering can be devastating for the companies involved, as they target users’ (very human) instinct to trust and can lead to a total takeover.

Analysis Overview

The sample the Cylance Threat Guidance team analyzed was a Windows 32-bit executable, compiled with Microsoft Visual C++ v10 on 07/04/2017. The following sections include information about the variant’s internal configuration and dynamic behavior.

Physical Structural Overview

Examining the executable statically, we noticed some interesting strings within the resource section, which are shown in Figure 3.

Figure 3. Resource Section

Investigating further, we identified imports from the Kernel32.dll module that can be used to locate and extract binaries from the resource section. Figure 4 shows some of these functions, including FindResourceA, LoadResource, LockResource, SizeofResource, and WriteFile.

Figure 4. Kernel32.dll Functions

An examination of the resource section shows two embedded documents and two dynamic link libraries (DLLs): a 32-bit DLL packed with ASPack and a 64-bit DLL packed with UPX. Notably, both DLLs carry similar strings in their file version information section.

Table 1. Comparison of File Version Info of 32- and 64-bit DLLs

The first embedded document is located at offset 0xBA48 and the second at offset 0x31AAC, as shown in Figures 5 and 6.

Figure 5. PKZIP_0xBA4B

Figure 6. PKZIP_0x31AAC

The first DLL is located at offset 0xFAAC and the second at offset 0x214AC, as seen in Figures 7 and 8.

Figure 7. DLL sha256 Hash Located at offset_0xFAAC

Figure 8. DLL Located at offset_0x214AC
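One way a defender can locate embedded payloads of the kind described above, as an added example that is not code from the Cylance post: scan a dropper image for PKZIP local-file headers and MZ headers, and validate each MZ by following e_lfanew to a PE signature so that stray "MZ" bytes are not reported. The sample image and its offsets are constructed, not the real dropper's.

```python
import struct

# Constructed sample: a fake dropper image with a PKZIP local-file header and
# a minimal MZ/PE stub at known offsets (not the real KONNI sample).
def build_sample() -> bytes:
    buf = bytearray(b"\x00" * 0x400)
    # Embedded ZIP container (e.g. a .docx) at 0x100
    buf[0x100:0x104] = b"PK\x03\x04"
    # Embedded PE at 0x200: 'MZ', with e_lfanew at +0x3C pointing to 'PE\0\0'
    buf[0x200:0x202] = b"MZ"
    struct.pack_into("<I", buf, 0x200 + 0x3C, 0x80)
    buf[0x280:0x284] = b"PE\x00\x00"
    # A bare 'MZ' with no PE header behind it, to show the false positive is dropped
    buf[0x300:0x302] = b"MZ"
    return bytes(buf)

def is_pe_at(data: bytes, off: int) -> bool:
    """True if the MZ header at `off` has an e_lfanew that lands on 'PE\\0\\0'."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # Sanity-bound e_lfanew: a real DOS stub is at least 0x40 bytes and small
    if not 0x40 <= e_lfanew < 0x1000:
        return False
    pe_off = off + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def carve_offsets(data: bytes) -> list:
    """Return (offset, kind) for every PKZIP header and every validated PE header."""
    found = []
    pos = data.find(b"PK\x03\x04")
    while pos != -1:
        found.append((pos, "PKZIP"))
        pos = data.find(b"PK\x03\x04", pos + 1)
    pos = data.find(b"MZ")
    while pos != -1:
        if is_pe_at(data, pos):
            found.append((pos, "PE"))
        pos = data.find(b"MZ", pos + 1)
    return sorted(found)

if __name__ == "__main__":
    for off, kind in carve_offsets(build_sample()):
        print(f"{kind} at offset 0x{off:X}")
```

On a real dropper the reported offsets are where you would start carving (for KONNI's sample, the post lists 0xBA48/0x31AAC for the documents and 0xFAAC/0x214AC for the DLLs).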

Dynamic Behavior Overview

When the file is executed, it creates a directory named MFAData\event under the current user’s local settings folder and extracts two malicious DLLs if running on a 64-bit OS, or one DLL on a 32-bit OS. It then writes to the registry path HKCU\Software\Microsoft\Windows\CurrentVersion\Run, creating a value named RTHDVCP or RTHDVCPE depending on the architecture of the infected host.

This registry path is commonly used for persistence, as every program listed under it is started automatically after a successful login. Once this is complete, the parent process terminates and the file deletes itself.

Figure 9. Dynamic Behavior Overview
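A triage check for the persistence artifacts just described, as an added example (not code from the Cylance post): it parses the text output of a `reg query` of the HKCU Run key and flags values whose name is RTHDVCP/RTHDVCPE or whose data points into the MFAData\event drop directory. The registry output below is constructed; the launch path for the DLL is an assumption, since the post does not show it.

```python
import re

# Constructed `reg query HKCU\...\Run` output (not from a real infected host).
# The indicators are the value names RTHDVCP/RTHDVCPE and the MFAData\event
# drop directory from the post; the exact command line is assumed.
CONSTRUCTED_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    RTHDVCPE    REG_SZ    C:\Users\alice\Local Settings\MFAData\event\virus-dl.dll
    Updater    REG_SZ    C:\Program Files\Vendor\update.exe
"""

RUN_VALUE_NAMES = {"RTHDVCP", "RTHDVCPE"}
DROP_DIR = r"MFAData\event"
# reg query prints each value as: <indent><name><spaces><REG_type><spaces><data>
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def suspicious_run_entries(reg_output: str) -> list:
    """Return (name, data, reason) for Run values matching the KONNI indicators."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header, blank line, or anything not a value row
        name, _reg_type, data = m.groups()
        reasons = []
        if name.upper() in RUN_VALUE_NAMES:
            reasons.append("value name matches KONNI persistence name")
        if DROP_DIR.lower() in data.lower():
            reasons.append("data points into the MFAData\\event drop directory")
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for name, data, reason in suspicious_run_entries(CONSTRUCTED_REG_QUERY):
        print(f"{name}: {data}\n  -> {reason}")
```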

Once the dropped DLL (hereafter referred to as virus-dl.dll) is initiated, it uses RegOpenKeyExA to open the registry path HKCU\Software\Microsoft\Windows NT\CurrentVersion\InstallDate and queries the value using RegQueryValueA to check whether the host has already been infected. This check can be found at offset 0x6830 and is seen in Figure 10.

Figure 10. Fingerprint Infected Host

Core Capabilities of Virus-DLL.DLL

Keylogging. Virus-dl.dll captures keystrokes using SetWindowsHookExW. The captured keys are written to a log file under the current user’s local settings folder at Packages\microsoft\debug.tmp; this can be found at offset 0x6989 and is shown in Figures 11 and 12.

Figure 11. Keylogging

Figure 12. Log File

Host Enumeration. virus-dl.dll collects the operating system information and installed software of the infected host, as shown at offset 0x6D87 in Figure 13 below.

Figure 13. Collect OS Details and Installed Software

Intelligence Gathering. virus-dl.dll contains the ability to collect the hostname and IP address of the infected host, as seen at offset 0x6B70 in Figure 14.

Figure 14. Collect IP Address and Hostname Information

Host Profiling. virus-dl.dll contains the ability to collect the computer name, username, and logical drive information of the infected host; this can be found at offset 0x6C0C and is shown in Figure 15.

Figure 15. Collect Username and Logical Drive Information.

Screen Capture. virus-dl.dll captures screenshots by leveraging Graphics Device Interface (GDI) functions, which can be found at offset 0x6E80 and is shown in Figure 16.

Figure 16. Screen Capture

Additional information on how screen capture works can be found at the Microsoft MSDN link below.

Data Exfiltration. Virus-dl.dll contains the ability to upload collected intel to a C2 server; this can be found at offset 0x7629 and is illustrated in Figure 17.

Figure 17. Upload Information

The DLL pulls down instructions from the C2 server every 15 minutes. This can be found at offset 0x78A0 and is highlighted in Figures 18 and 19.

Figure 18. Download Instructions

Figure 19. HTTP Response Body

The information exchanged between the C2 server and virus-dl.dll is decrypted using a two-byte XOR key, which can be found at offset 0x74D0 and is seen in Figure 20.

Figure 20. XOR Decryption
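The two-byte XOR scheme described above, as an added example (not code from the Cylance post or the KONNI sample): decrypt with a known key, recover the key from two known plaintext bytes, and, when nothing is known, brute-force the 65536 possible keys over a captured response and rank the printable results. The key and the tasking text are constructed; the post does not disclose the real key.

```python
def xor2(data: bytes, key: bytes) -> bytes:
    """Repeating two-byte XOR; the same call both encrypts and decrypts."""
    if len(key) != 2:
        raise ValueError("a KONNI-style key is exactly two bytes")
    return bytes(b ^ key[i & 1] for i, b in enumerate(data))

def key_from_known_plaintext(cipher: bytes, known_prefix: bytes) -> bytes:
    """Two known plaintext bytes are enough: key[i] = cipher[i] ^ plain[i]."""
    return bytes(cipher[i] ^ known_prefix[i] for i in range(2))

def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)

def _text_score(plain: bytes) -> int:
    # Tasking strings are mostly lowercase words and spaces; reward those bytes.
    return sum(1 for b in plain if 0x61 <= b <= 0x7A or b == 0x20)

def brute_force_keys(cipher: bytes) -> list:
    """Every key whose output is entirely printable, best text score first."""
    hits = []
    for k0 in range(256):
        for k1 in range(256):
            key = (k0, k1)
            # all() short-circuits, so wrong keys usually die on the first byte
            if all(_printable(b ^ key[i & 1]) for i, b in enumerate(cipher)):
                hits.append(bytes(key))
    return sorted(hits, key=lambda k: _text_score(xor2(cipher, k)), reverse=True)

# Constructed sample traffic: an assumed key and an invented tasking body,
# not the real KONNI key or a real C2 response.
CONSTRUCTED_KEY = b"\x4b\x7e"
CONSTRUCTED_TASKING = b"cmd: collect\r\ninterval: 15m\r\nupload: yes\r\n"
CONSTRUCTED_CAPTURE = xor2(CONSTRUCTED_TASKING, CONSTRUCTED_KEY)

if __name__ == "__main__":
    print("known-plaintext key:", key_from_known_plaintext(CONSTRUCTED_CAPTURE, b"cm").hex())
    print("best brute-force key:", brute_force_keys(CONSTRUCTED_CAPTURE)[0].hex())
    print(xor2(CONSTRUCTED_CAPTURE, CONSTRUCTED_KEY).decode())
```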

Conclusion

The KONNI malware is a relatively new RAT. The implemented features are straightforward to analyze and there has been little attempt to mask the malware’s true purpose. The basic features for a backdoor are all present, including host profiling and remote access and control.

Given the recent attention, we expect to see new variants surface in the coming months with better obfuscation and perhaps additional capabilities.

If you use our endpoint protection product CylancePROTECT®, you were already protected from this attack. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.

The Cylance Threat Research Team

The Cylance Threat Research team examines malware and suspected malware to better identify its abilities, function and attack vectors. Threat Research is on the frontline of information security and often deeply examines malicious software, which puts us in a unique position to discuss never-seen-before threats.